Sylvain
Participant

[VPN] [AWS] Issue when rekeying the phase 1

Check Point version: R80.40.

Peer gateway: AWS

Hello all,

We have an issue with a VPN tunnel. The tunnel comes UP with no problem, and the streams are encrypted and sent inside the tunnel. Up to that point, no problem.

But once the phase 1 expires and it tries to rekey, the streams no longer pass through the tunnel, even though the tunnel is UP and seems to be OK after the rekey (new SA and new SPI, shown with vpn tu).

We have to reset the tunnel before the streams flow again.

We have noticed that at every phase 1 rekey, we drop packets from the peer gateway because of "Unknown SPI: 0xXXXXXXXX for IPsec packet.".

We also see this error message on ESP packets: "Packet is dropped because an IPsec SA associated with the SPI on the received IPsec packet could not be found".

We've activated keep_ike_sa, changed the VPN tunnel parameters as recommended by AWS, and changed the value of the DPD Timeout action on the peer gateway, but nothing has fixed the issue.

Hope to find the solution here.

Many thanks.

0 Kudos
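As an added triage aid that is not part of the original thread: a small Python script that checks whether "Unknown SPI" drops cluster right after phase 1 rekeys, which is the pattern Sylvain describes, rather than appearing at random. The one-line "<epoch> <message>" log layout and the "IKE phase 1 rekey" marker line are constructed assumptions; the thread only quotes the two drop messages themselves.

```python
"""Correlate 'Unknown SPI' drops with IKE phase 1 rekeys in a gateway log.

Added example, not from the original thread. The log format is a constructed
simplification: one event per line, "<epoch seconds> <message>", using the
two drop messages quoted in the post plus a constructed rekey marker line.
"""
import re
from collections import defaultdict

UNKNOWN_SPI = re.compile(r"Unknown SPI: (0x[0-9a-fA-F]+) for IPsec packet")
NO_SA = "IPsec SA associated with the SPI on the received IPsec packet could not be found"
REKEY = "IKE phase 1 rekey"  # constructed marker; real gateways log this differently


def parse(line):
    """Split a constructed '<epoch> <message>' line into (int, str)."""
    ts, _, msg = line.partition(" ")
    return int(ts), msg


def correlate(lines, window=60):
    """Return ({spi: count}, unrelated): drops within `window` seconds after
    the most recent phase 1 rekey, grouped by SPI, and the number of drops
    with no recent rekey (which would point to a different problem)."""
    last_rekey = None
    after_rekey = defaultdict(int)
    unrelated = 0
    for line in lines:
        ts, msg = parse(line)
        if REKEY in msg:
            last_rekey = ts
            continue
        m = UNKNOWN_SPI.search(msg)
        if not m and NO_SA not in msg:
            continue  # not one of the two drop messages we care about
        spi = m.group(1).lower() if m else "no-spi-logged"
        if last_rekey is not None and 0 <= ts - last_rekey <= window:
            after_rekey[spi] += 1
        else:
            unrelated += 1
    return dict(after_rekey), unrelated


# Constructed sample log: a rekey, a burst of drops for one SPI, and one
# isolated drop much later that is not rekey related.
SAMPLE_LOG = [
    "1000 IKE phase 1 rekey completed",
    "1005 Unknown SPI: 0xC0FFEE01 for IPsec packet.",
    "1006 Unknown SPI: 0xC0FFEE01 for IPsec packet.",
    "1007 Packet is dropped because an IPsec SA associated with the SPI on the received IPsec packet could not be found",
    "2000 Unknown SPI: 0xDEADBEEF for IPsec packet.",
]

if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))
```

A non-zero first element with a near-zero second element is the thread's symptom: the peer keeps sending on SPIs the gateway no longer holds after the phase 1 rekey.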
2 Replies
Chris_Atkinson
Employee

Hi,

Please review sk108600 scenario 4 if not already.

Regards,

Chris

Sylvain
Participant

Hi Chris, thank you for your fast answer.

After checking the value of ike_keep_child_sa_interop_devices, it is set to false.

According to the SK, changing the value to true may resolve the issue, but before applying the change, I want to know what impact it can have on other stable VPN connections. Is there a risk in doing it?

Many thanks.

Kind regards.

0 Kudos